Download Hacking Part 1

Hacking Part 1
1
Intro to Network Security
Hacking Part 1
Text:
Network Security: The Complete Reference, Bragg, Rhodes-Ousley, Strassberg et al.
Chapter 15
Objectives:
The student should be able to:
 Define DNS, zone transfer, traceroute, ping, ping sweep, port scanning, finger
printing, banner grabbing, SNMP.
 List the goals, techniques, and 2 countermeasures for Footprinting.
 List the goals, techniques, and 2 countermeasures for Scanning.
 List the goals of enumeration.
 List 6 vendor-independent steps that can protect systems against hackers.
Class Time:
Lecture:
Footprinting
Scanning
Enumeration
Lab 1: Footprinting
Total:
½ hour
½ hour
1 hour
1 hour
3 hours
Hacking Part 1
2
Hacking Techniques & Countermeasures
To break into a location (store, bank) you would:
 Case the joint (security guards, visibility, cameras, …)
To hack into a system the steps include:
 Footprint: Get a big picture of what the network is
 Scan: Identify reachable hosts, services, OS/service versions
 Enumerate: Get specific details on the network OS/services
 Exploit: Take advantage of hacking reconnaissance
Step 1: Footprinting
Footprinting: Gather information about target. Stages include:
 Determine scope of activity: What is out there & what does hacker hope to
accomplish?
 Search company web pages: locations, subsidiaries, contact names,
phone numbers, email, privacy or security policies, links to organization’s
other web servers.
 Monitor HTML comment tags not publicly shown
 Perform open-source searches for info on target: news, press releases
 www.sec.gov EDGAR database lists publicly traded companies:
recently-listed or recently-acquired often vulnerable
 Network Enumeration: Discover networks attached to the domains
 Obtain information from whois databases
 Identify domain names: ms.com and Microsoft.com
 Network Reconnaissance: Learn network topology via DNS interrogation and
network commands (e.g., traceroute)
Network Enumeration Stage
Whois provides information on:
 Registrar: Sponsoring company
 Organizational/Point of contact: Contact information
 Social Engineering: break into company via human interface – via phone
or email, posing as a trusted support person
 War dialers: search for dial up modems
 Network/Domain: DNS server names, CIDR range

Whois databases include:
 www.networksolutions.com (Network Solutions had a monopoly as main
registrar for domain names until 1999).
 www.arin.net : American Registry for Internet Numbers
 www.samspade.org
 www.nic.gov/whois.html
 www.allwhois.com
Hacking Part 1
3
Whois Example:
[bash] whois “Tellurian Net*”@whois.arin.net
Guard Security by:
 Posting fictitious names in whois database
 Keep contact information, contact registration in registry up-to-date
 Ensure secure access to registry (AOL was defrauded in 1998)
Network Reconnaissance
Network Reconnaissance: Learn network topology
 DNS Interrogation: Learn location of web, email, firewall servers
 DNS: Domain Name Server maps IP addresses to hostnames and vice
versa
 Zone transfers dump the contents of the DNS database to a secondary site
(intention: backup site)
DNS Lookup Command: nslookup
…
 set type=any
 ls –d Tellurian.net. >> /tmp/store
ce
1D IN CNAME
Aesop
au
1D IN A
192.168.230.4
1D IN TXT
“Location: Library”
1D IN RP
jcoy.erebus jcoy.who
1D IN MX
0 tellurianadmin-smtp
Above we are asking to use the Tellurian.net DNS server to list all records for the
domain
HINFO:
Identifies platform/OS
MX:
Mail Exchange (Email server)
A:
Internet Address
To Guard Security:
 Prevent or restrict zone transfers to authorized machines/users
 Disable inbound connections to TCP port 53: TCP zone transfer, UDP name
lookups
 However, UDP name lookups sent as TCP requests when > 512 bytes
 Exclude internal network information in external name servers
 Eliminate HINFO records from name servers
 Log inbound connections to port 53 to track potential attacks
Traceroute: Provides list of routers between source and destination
 To run:
 [bash]$ traceroute cs.uwp.edu
 [DOS] tracert
Hacking Part 1


Traceroute can be run from multiple locations to learn multiple entry points
into network
How traceroute operates:
 Traceroute uses ICMP_TIME_EXCEEDED messages
 Windows: Uses ICMP echo request packet
 UNIX: uses UDP or ICMP with –I option
To Guard Security:
 Block ICMP and UDP at network edge (firewall or router)
 Note: Blocking only ICMP or UDP may allow access, since both may be
used
 Use IDS systems to detect traceroute requests
 www.snort.org: Free IDS program detects these
 RotoRouter: www.ussrback.com/UNIX/loggers/rr.c.gz: generates fake
responses to traceroutes.
Step 2: Scanning
Scanning: Finding entries (doors, windows / IP addresses, ports) into the
network
 Host Scanning: Which IP addresses are valid?
 Network Scanning: How is the network routing system organized?
 Port Scanning: Which services are running on which ports?
 Fingerprinting: Which software versions are running on different sockets?
 Active fingerprinting: Send specific messages & observe replies
 Passive fingerprinting: Observe patterns in IP packets
 Stealth scanning: Slow scanning stays under intrusion detection radar
screen
Locating Valid IP Addresses
Ping: Source: Are you there? Dest: Yes I am here
 Send ICMP ECHO; Reply ICMP ECHO REPLY
 Ping Sweep: Search all IP addresses in range to determine active IP
addresses
 When ICMP traffic is blocked: Proceed to port scanning to determine active
addresses
ICMP Queries: Gather timestamps and address masks
 ICMP type 13: Timestamp – how synchronized is the network?
 ICMP type 17: netmask or address mask: Determine IP addresses, routers
4
Hacking Part 1
5
To Guard Security:
 Detect ping sweeps and incoming ICMP traffic for port scans via IDS
 Identify attacker and possible time of attack
 Filter all ICMP traffic
 Filter ICMP TIMESTAMP and ADDRESS MASK packet requests
 Minimal: Allow ECHO_REPLY, HOST_UNREACHABLE, TIME_EXCEEDED
into demilitarized zone (DMZ)
Once in: can use loki tool to tunnel data within an ICMP ECHO packet
Locating Services on Hosts
Port Scanning: Which ports are in a listening state?
Scan types:
 TCP connect scan: Performs 3-way handshake
 TCP SYN: SYN SYN/ACK
 TCP FIN: FINRST (UNIX)
 TCP XmasTree scan: FIN/URG/PUSHRST
 TCP Null: no flagsRST
 TCP ACK: ACK Is firewall stateful?
 TCP Windows: Identify system via window size reporting
 TCP RCP: Identify RCP ports, program names and version numbers
 UDP Scan: If inactive ICMP port unreachable
Port scanners include:
 Nmap or Network Mapper: TCP/UDP, decoy or bogus scans supported to
complicate IDS detection
 Windows scanners: NetScan, SuperScan,
 Strobe: efficient, banner-grabbing, TCP scanning
 Udp_scan (SATAN/SAINT): Fast
 Netcat or nc: TCP & UDP port scanning, verbose options
 NetScan: axfr, whois, ping sweeps, NetBIOS name table scans, SNMP walks,
etc.
Results: Identify system as well as active ports
 Microsoft NT: supports port 139 & 135
 Microsoft 95/98: port 139
 UNIX: 111 Portmapper
To Guard Security:
 Detect port scans using IDS or snort:
 Snort: Free (www.snort.org)
 Disable all unnecessary services
 UNIX: comment out unnecessary services in /etc/inetd.conf
 WINDOWS: Disable services via Control Panel/Services
Hacking Part 1

Scan to find unnecessary services
 Can use www.grc.com to scan your own machine or network
Step 3: Enumerate: Get Specific Details on OS/Services
Fingerprinting: Identifying the system software
Active Stack Fingerprinting: Send messages to determine versions of system
software
 Stack Fingerprinting: Identify host OS.
 Banner Grabbing: Identify applications (including version if possible)
 Identify host OS version: FIN probe, Bogus Flag probe, Initial Sequence
Number sampling, Don’t fragment bit monitoring, TCP initial window size,
ACK value, ICMP message reactions, etc.
Passive Stack Fingerprinting: Monitors network traffic to determine OS
 Tool: Siphon
 TTL: What is initial Time To Live value?
 Window Size: What is the default window size?
 DF: Is the Don’t Fragment flag set?
Automated Vulnerability Tools:
 Nessus/NeWT: Identifies open ports, vendor, type, versions of software
packages.
 Nikto: Identifies web vulnerabilities
 Cheops: Graphical utility integrates ping, traceroute, port scanning
capabilities and OS detection into automatic package that provides network
diagram (routers, hosts…)
 NMAP: T option slows down scan to where it is not recognized by IDS.
 SARA/SAINT: Enumerate vulnerabilities on UNIX
 MBSA/GFI LANguard: Enumerate vulnerabilities for Microsoft products
Manual Tools: Telnet, nc, netcat
Banner Grabbing:
Start up a telnet application to ports in turn:
C:\>telnet <IP_addr> <port_nr>
C:\>telnet 10.10.0.1 80
HTTP/1.0 400 Bad Request
Server: Netscape-Commerce/1.12
Your browser sent a non-HTTP compliant message.
OR use netcat:
C:\> nc –v www.corleone.com 80
<enter>
OR
C:\> nc –n 10.10.0.1 80
6
Hacking Part 1
7
<enter>
Countermeasures:
 Shut down unnecessary services
 Changing the banner is difficult but possible
 Eliminate any entry points: e.g., default passwords
Auditing Checks:
 Be careful of false positives and false negatives!
 Slow responses can result in wrong conclusion
 Banners may not reflect all patches
 Vulnerabilities may be eligible only if combined with a particular version of OS
 Vulnerability tests can have bugs
 A vulnerability may exist – but the context may not exist for the application
 Specific network h/w may impact test (e.g., load balancing, firewall proxies)
Therefore:
 Use two tools to test!
 Determine if vulnerability exist in context of OS, applications, etc.
 Treat information as confidential
Step 4: Exploit
Can include:
 Password Guessing
 Exploit known vulnerabilities of software
 Session Hijacking: Take over existing session
 After Break-In
 Create backdoors for reentry
 Weaken security
Vendor-Independent Steps to Minimize Security Risks
 Ensure machines run minimal services – particularly servers
 Run the most up-to-date versions with patches installed
 Restrict access to services (,data, configuration files) based on need
 Minimize service banners and display warnings against trespassing
 Collect and monitor logs via remote server (login attempts, changes in
permissions, accounts, or log/audit settings, file/printer accesses, etc.)
 Ensure remote administration uses strong authentication and encryption
controls
 Use file integrity checking tools
 Partition services and hardware in network to maximize security!
Hacking Part 1
A Look at Specific Applications
(More can be found in Hacking Exposed: Network Security Secrets & Solutions)
TFTP TCP/UDP 69
 Simple file transfer protocol that sends in cleartext
 Lacks any authentication mechanism
[root$] tftp 192.168.202.34
Tftp> connect 192.168.202.34
Tftp> get /etc/passwd /tmp/crackpasswd
Tftp> quit
Countermeasures:
 Block TCP/UDP port 69 at firewall
 Limit access to the /tftpboot directory
 Avoid tftp
Simple Network Management Protocol UDP 161
 Collects information from the network – and may give it away too.
 “Security Not My Problem”: SNMP read-only mode password is “public”
C:\> snmputil walk <ip_addr> public <objectID>
C:\> snmputil walk 10.10.0.2 public .1.3.6.1.4.1.77.1.2.25
 Can provide usernames, OS version, share names/paths, running services,
etc.
Countermeasures:
 Block TCP/UDP 161 at network perimeter
 Use an excellent password
 Disable SNMP if not required
 Upgrade to latest (more secure) versions of SNMP with authentication &
encryption.
 Use regedt tool to set security option to permit only approved user access
Trojan Ports
 Close off all ports used by Trojan horses: www.doshelp.com/trojanports.htm
 Port 80 (web) can also be used by trojans and other applications when their
normal port is closed
ICMP
 The following ICMP messages should be considered for closing: Ping,
Destination Unreachable, (Subnet) Address Mask Request, Echo, Host
Unreachable, Port Unreachable, Redirect, Time Exceeded, Admin Prohibited
(ACL denied)
A Look at Specific Applications: UNIX
UNIX Remote Procedure Call, TCP/UDP 111, 32771
 The portmapper provides info on RPC programs, versions, protocol, port
8
Hacking Part 1
[root$] rpcinfo –p <ip_addr>
C:\> rpcdump <ip_addr>
[root$] nmap –sS –sR <ip_addr>
Countermeasures:
 Use authentication (and possibly encryption) with RPC
 Block ports 111, 32771 and other RPC ports to outside
 UNIX: port 111
 Sun: port 32771
Network File System, TCP/UDP 2049
 List directories being shared
[root$] showmount –e <ip_addr>
export list for <ip_addr>
/pub
(everyone)
/usr
user
Countermeasures:
 Ensure exported file systems have proper permissions (set read/write
permissions per host)
 Block NFS at network perimeter: TCP/UDP 2049
9
Hacking Part 1
10
Introduction to Microsoft Windows
Before Windows 2000:
Firewall/Router
Mbrowser
H1
WINShost
H2
H3
H4
Primary DC
Has 3 Servers:
 Mbrowser (Master Browser): Lists hosts part of Network Neighborhood
 WINShost: Translates NetBiOS host names to IP addresses
 Primary DC: Primary Domain Controller for Authentication
After Windows 2000:
Firewall/Router
MS Server
H1
H6
H2
H3
H4
H5
Hacking Part 1
11
Has 1 Server which contains:
 Domain Controller with Active Directory (User Accts)
 DNS Server: Domain names and structures: Translates to IP addresses
 Kerberos Server: Top-notch authentication
Integration allows Kerberos authentication control over network accesses
Questions: How can we try to make this network and its data as safe as
possible?
 Disable ports at entry point
 Monitor ports via IDS internally to find worms, inside attackers
 Passwords can be cracked with monitoring
Hierarchical networks
In MS Windows, a hierarchy can include a Forest, Domain, single machine, etc.
Using Domains, authentication and control can occur locally (at machine) or
remotely (at domain server).
 E.g., Administrator or user at domain level can become administrator or user
at local level automatically
 When authentication is applied at the local and remote levels, and for different
groups in different ways, unexpected permissions may arise.
 The gpresult.exe command (XP/2003) provides result permissions.
Local Control: Minimize applications available on a computer
 Component: An application/utility that is installed/removed using the Control
Panel Add/Remove program
 E.g., Internet Information Service (IIS) = Web Service
 Services are part of the OS and can be enabled or disabled: e.g., telnet
 Description of each service:
www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/prodsp
ects/win2ksv
Remote Control: Objects accessible via Network Neighborhood are called
Shares
 Examples: Printers, files, directories. E.g.: C: becomes C$
 Shares have permissions allocated to them: Everyone = Read (XP & 2003)
Hacking Part 1
12
SMB: Server Message Block Application
 Supports File Sharing, Print Sharing, and Group Policy transmission services
associated with LAN Manager, Microsoft Networking
 Client/Server protocol controlling printers, named pipes, mail slots, and APIs,
including Microsoft Explorer.
 Has two levels of security
 Share – E.g., Shared printer, shared disk. Each share has a password
 User – Each user logs onto server and each file has permissions
associated with it.
 Usernames/Passwords retained in Domain Controller for a domain
 Windows NT: Security Accounts Manager (SAM)
 Login & Service name sent in cleartext.
 Encrypted password can be cracked
 Windows 2000: Active Directory & Key Distribution Center (Kerberos)
 Secure encryption and authentication
 SMB can require Digital Signatures (optional): HKEY_LOCAL_MACHINE,
Enable or Require Security Signature
 Shares have a tree structure.
SMB Protocol Stack:
SMB
NetBIOS
TCP/IP
IPX/SPX
NetBEUI
Data Link
Physical
Name Services
Name Service Before Windows 2000:
Name Service: Maps drive letters E:, F:, printer ports LPT1: to SHARE names or
Universal Naming Convention (UNC) names.
Redirector: Translates requests from Network services to SMB requests for
name service translation. SMB can choose:
NBT: NetBIOS over TCP/IP
 NBT used by Workstation Service, Server service, Browser service,
Messenger service, Net Logon service.
 NBT is used to communicate with earlier OS: Windows NT, 95, 98
 NBT is needed for mixed-mode networks to support earlier Windows
computers.
 Uses Port 139
Hacking Part 1
13
Name Service after Windows 2000:
Direct Hosting: DNS is used instead of NetBIOS
 Can be used with Windows 2000 & later XP in ‘Native Mode’
 By default in Windows 2000, both NetBIOS and direct hosting are enabled,
but one can be disabled.
 Uses Port 445
To Disable NetBIOS support
 StartSettingsNetworkDial Up Connection
 Right click Local Area ConnectionProperties
 Select IP (TCP/IP)  Properties  Advanced  WINS tab
 Select Disable NBT
All computers must be Windows 2000 or later
Protocol Layer Architecture
NetBIOS Interface (Pre-2000):
NETAPI32.DLL (user mode)
NetBIOS Emulator (kernel mode)
mode)
TCP/IP (NetBT) or NBF
NDIS
NIC Driver
Windows Socket Interface (Post-2000):
WSOCK32.DLL (user mode)
Windows Socket Emulator (kernel
TCP/IP
NDIS
NIC Driver
NDIS: Network Driver Interface Specification: Standard defining the interface
between MAC & Higher level protocols.
NetBT or NBT: NetBIOS over TCP/IP
NBF: NetBIOS Frame Protocol
 NetBEUI (Enhanced User Interface) is precursor protocol of NBF
 Replaces TCP/IP or sits above TCP/IP
 Not routable without TCP/IP
 Connection-oriented and connectionless
Hacking Part 1
14
MS Windows Internal Ports
Before Windows 2000
 NetBIOS Name Server: UDP 137 (NBT name service)
 NetBIOS Datagram Server: UDP 138: Can send a datagram with a short
message (text)
 NetBIOS Session Server: TCP 139 (NBT name service, SMB)
After Windows 2000:
 Domain Name Server (DNS): UDP 53
 Lightweight Directory Access Protocol (LDAP): Selecting My Network Places
to search to in Active Directory Server
 TCP/UDP 389; TCP port 3268
 TCP 3269: Global Catalog
 TCP 636: LDAP SSL
 SMB Direct Hosting: Selecting a particular service within My Network Places:
TCP port 445
 Kerberos: Encrypted Authentication: TCP/UDP 88.
 TCP/UDP 464
 TCP 544: KShell
Other Local Services:
 Terminal Server: TCP 3389
 DHCP:
 DHCP Manager: TCP 135
DHCP Lease: UDP 67-68
A Look at Specific Applications: Microsoft
NetBIOS Name Service Enumeration UDP 137
 NetBIOS Name Service is the precursor to DNS (before Windows 2000)
 Lists all domains on the network:
C:\> net view /domain
 Lists all computers within a domain:
C:\> net view /domain:computer1
 Lists the system name, the domain, logged-on users and running I-net
services
C:\> nbtstat –A <ip_addr>
C:\> nbtscan <ip_addr>/<CIDR extension>
Countermeasures:
 Block UDP 137 at firewall and routers. (This does disable NetBIOS name
resolution across routers.)
 To prevent user data showing up, disable Alerter & Messenger services on
individual hosts
NetBIOS Session Enumeration, TCP 139, 445
Hacking Part 1

15
Used for Windows File & Print Sharing system’s Server Message Block
(SMB) protocol
 Null session may get access to network information, users, groups, Registry
keys, etc.
C:\> net use \\<ip_addr>\IPC$ “” /u: “”
 Many tools exist – one tool is the user2sid and sid2user tools, which offer
account names.
C:\> User2sid \\<ip_addr> “domain users”
C:\> Sid2user \\<ip_addr> <sid> <rid>
 Another tool shows password policies, user names, etc.
C:\> enum –U –d –P –L –c <ip_addr>
Countermeasure:
 Block TCP 139 at network perimeters.
 Disable SMB services on Network & Dial-up
Connections/Advanced/Advanced Settings/unbind File & Print Sharing OR
 Disable enumeration via regedt32 tool at
HKLM\SYSTEM\CurrentControlSet\Control\LSA, by changing Restrict
Anonymous value to 2 (if not available: 1)
 Additional security measures are listed in Hacking Exposed to prevent
Registry enumeration, etc.
 To disable Port 445 select (Windows 2000 & later):
Network & Dialup Connections/Advanced (Bar)/Advanced Settings
Deselect File & Printer Sharing for MSN Networks
 To disable Port 139: (Windows 2000 & later)
Network & Dialup Connections/Properties of Internet/Advanced button/WINS
tab/Disable NetBIOS over TCP/IP
Active Directory TCP/UDP 389, 3268
 Lightweight Directory Access Protocol (LDAP) can browse the Active
Directory
 Can provide list of all users and groups via ldp tool
Countermeasures:
 Block TCP/UDP 389, 3268 at firewall, external routers.
 Run Active Directory in native mode, with a network of Windows 2000 and
later nodes
Auditing Microsoft Help
Web pages for MS Windows for security tools, checklists, and guides:
 www.microsoft.com/technet/security/chklist/default.mspx
US National Security Agency:
 www.nsa.gov/snac/index.cfm
US National Institute of Standards and Technology (NIST)
 www.csrc.nist.gov